Jon's News Wrapup - May 8, 2008 Edition

Here's another monthly installment in my news wrapup series. I've fallen into publishing them at the end of the first week of the month, because so much stuff seems to happen in the first week of each month that it'd be a shame to sit on it for three weeks.

Please comment if these wrapup posts are valuable to you. I'm harvesting them from my ma.gnolia feed, so if few people are reading them, I'll just point you over to that feed and dispense with all the html formatting, organization, and comment. Let me know if I missed any big news this month, too.

Microsoft + Yahoo? Nope.

After a few months of negotiating with a Yahoo! who clearly didn't want to merge, Microsoft withdrew their offer. Yahoo! took some pretty extreme measures to prevent a hostile takeover, indicating that they'd essentially rather give their business to Google than merge with Microsoft. There's some speculation that Microsoft's just doing this to drive Yahoo's stock price down so they can buy them cheaper, but my guess is that they're done here.

Hey, straw poll: Do you actually use Yahoo! search? I don't know anyone that does.

  • Microsoft Withdraws Proposal to Acquire Yahoo!

    “We continue to believe that our proposed acquisition made sense for Microsoft, Yahoo! and the market as a whole. Our goal in pursuing a combination with Yahoo! was to provide greater choice and innovation in the marketplace and create real value for our respective stockholders and employees,” said Steve Ballmer, chief executive officer of Microsoft. “Despite our best efforts, including raising our bid by roughly $5 billion, Yahoo! has not moved toward accepting our offer. After careful consideration, we believe the economics demanded by Yahoo! do not make sense for us, and it is in the best interests of Microsoft stockholders, employees and other stakeholders to withdraw our proposal,” said Ballmer.
    • May 03, 2008 at 05:27 PM
  • Microsoft To Yahoo: Take a Hike! - GigaOM

    "A few days ago I had pointed out that Microsoft’s bid for Yahoo was a checkmate kind of a move: Yahoo couldn’t win from this attack. Today, by pulling its bid for the Sunnyvale, Calif.-based search company, Microsoft proved that again, and showed why it is still the Prince Machiavelli of Technology."
    • May 04, 2008 at 10:36 PM
  • Mary Jo Foley on the MicroHoo near-miss

    "Some — probably many — are going to portray Microsoft’s decision announced on May 3 to withdraw its Yahoo bid as a victory for Yahoo and a defeat for Microsoft Chairman Steve Ballmer & Co. Me? I see this as the smartest thing Microsoft could do. In fact, I’d go so far as to say Microsoft’s decision to walk restores my faith in the future of the company."
    • May 04, 2008 at 09:53 PM
  • The Secret Diary of Steve Jobs: Ballmer's brilliant move

    "This fantastic bait-and-switch maneuver on Yahoo just proves it. In one fell swoop Ballmer has upended this entire market space, roiled up everyone, forced all of his competitors into more difficult positions -- and none more so than Jerry Yang of Yahoo who looks more foolish than ever right now."
    • May 04, 2008 at 03:42 PM

The Cloudy Mesh

After years of vague PowerPoints, we finally get a look at Mesh. I have to say I'm impressed, although I'm suspicious of any software that takes years to ship a beta these days. The web-based remote desktop thing was a cool surprise. I guess we'll need to see what's being built on this platform to see the real value here.

  • Ray Ozzie: Introducing Live Mesh

    "In his first Channel9 interview, Ray Ozzie, Microsoft's Chief Software Architect sits down with Jon Udell to talk about Live Mesh, a new technology and platform that enables synchronization and storage "to the cloud." You'll hear about the history of Live Mesh, how it has been influenced by Ray's previous work on products like Groove and Lotus Notes. Ray also discusses the core technology that forms the basis for Live Mesh including REST APIs, XML, and synchronization APIs that enable you sync your Mesh across multiple devices."
    • May 04, 2008 at 10:25 PM
  • Hands on with Live Mesh | Channel 10

    "Live Mesh is a new piece of technology from Microsoft that allows you to do all this and more including a 5GB Live Desktop 'in the cloud'. George Moromisato and Noah Edelstein from the Live Mesh team came into the Channel 10 studios and gave us a demo of the Live Mesh Technical Preview"
    • May 04, 2008 at 10:24 PM
  • Mary Jo Foley's wrapup on Mesh.com

    "Microsoft took the wraps off Live Mesh at 9 p.m. PDT on April 22, just ahead of the service’s official debut at the Web 2.0 Expo this week. Live Mesh is an ambitious initiative — a combination of a platform and a service — and one that’s been more than two years in the making, according to company officials with whom I spoke earlier this week. I’d go so far as to say Live Mesh will be Chief Software Architect Ray Ozzie’s “make it or break it” project, given Ozzie has been setting the stage for Live Mesh since October 2005, when he outlined his pie-in-the-sky goals for it (without calling it Live Mesh) in his “Internet Services Disruption” memo to the troops."
    • May 04, 2008 at 10:12 PM
  • The Ozzie Memo: Software is Dead, Long Live the Web

    "In a remarkable strategy memo to employees (embedded below), Ozzie essentially shifts Microsoft’s mission from one of creating software for the PC and stand-alone servers to creating an interconnecting mesh between devices and people. He is not abandoning Windows or Office, but he is saying that the value of Microsoft’s software will increasingly depend less on what it can do on its own than what it can do with others."
    • Apr 29, 2008 at 12:42 AM
  • Microsoft Live Mesh to get more competition — from Sun | All about Microsoft | ZDNet.com

    "At the opening day of JavaOne on May 6, Sun officials began laying out their vision for a future cloud-computing platform, code-named Hydrazine, that Sun plans to field against competitive offerings from Microsoft, Google, Amazon and others. Robert Brewin, Sun Chief Technology Officer and Distinguished Engineer, described Hydrazine to me as a combination of Amazon’s Elastic Cloud, Microsoft’s Live Mesh and Google Analytics all rolled into one. It’s a platform that Sun is building on top of JavaFX, which is Sun’s rough equivalent to Adobe AIR and Microsoft’s Silverlight. Sun announced JavaFX a year ago."
    • May 08, 2008 at 12:30 AM
  • Architecture astronauts take over - Joel on Software


    "The hallmark of an architecture astronaut is that they don't solve an actual problem... they solve something that appears to be the template of a lot of problems. Or at least, they try. Since 1988 many prominent architecture astronauts have been convinced that the biggest problem to solve is synchronization."

    Note: This is one of those Joel posts that's so poorly written I close the browser in disgust and come back to it several times to actually finish it. Nevertheless, I think his general point here is worth considering.

    • May 08, 2008 at 01:26 AM

Xobni Goes To Public Beta, But Not To Redmond

I've been using the Xobni Outlook plugin for a while, and I've gotten totally hooked on it. It's hard to imagine using Outlook without it. Microsoft offered to buy them, but Xobni turned it down. I think that was a dumb move, because I think that their only proven value is in an Outlook plugin, and nobody's going to pay them more for it than Microsoft. Anyhow, Xobni is in an open beta now, so give it a shot.

  • Xobni makes Outlook better, but where's the business? | Webware : Cool Web apps for everyone

    "Here's what Xobni has up its sleeve: Xobni the app runs on Xobni the platform. This platform has hooks deep into Outlook. The platform is what enables Xobni to graft a viewing pane into Outlook, something other plug-ins can't do. It can also integrate into Outlook's default search bar (it doesn't, yet). The platform is what gives Xobni access to all the message data that it uses without bogging down the Outlook host app. Xobni plans to do two interesting things with the platform: First, write hooks into other e-mail apps (like Yahoo Mail and Gmail), and second, make the platform available to other vendors. So, for example, if Salesforce.com wants to write a plug-in that tightly integrates its CRM data into Outlook or whatever e-mail app its customers are using, Xobni's toolkit could make that work. Salesforce presumably would make money from such a feature, which Xobni would profit from as well."
    • May 05, 2008 at 11:18 PM
  • Xobni opens public beta

    "Xobni, a company that solves the growing email overload problem, today launched its highly-anticipated Microsoft Outlook add-on that organizes your inbox by relationships. With email volume growing rapidly and monopolizing many people's workdays, Xobni helps users quickly find and understand what's in their inbox, freeing up wasted time. Displayed as a sidebar in Outlook, Xobni's proprietary technology analyzes email in the same way your brain naturally understands communication. The rich data provided by Xobni offers a quick glimpse into your contacts--how you've communicated with them, how they've interacted with each other and what files have been exchanged. This unique set of data, personalized for each user's set of contacts, exposes the social architecture buried in every inbox."
    • May 04, 2008 at 11:16 PM
  • Xobni Walks Away From A Microsoft Deal

    "After negotiating over the past few weeks with Microsoft and signing a letter of intent to be acquired, e-mail startup Xobni has walked from the deal, according to a source close to the negotiations. The deal would have been a natural for Microsoft, which was offering to buy the two-year old startup for somewhere in the $20-million range."
    • May 04, 2008 at 11:14 PM

.NET News

Nothing too exciting happened in the .NET world. A few scattered announcements and releases:

  • ASP.NET MVC Source Refresh Preview - ScottGu's Blog

    "This update includes a number of improvements to ASP.NET MVC. Some of these include:
    1. In addition to posting the source code for the ASP.NET MVC framework, we are also posting the source code for the unit tests that we use to test it. These tests are implemented using MSTest and the open source Moq mocking framework. A VS 2008 project file for the unit tests is included to make it easy to build and run them locally within your VS 2008 IDE.
    2. Significantly easier support for testing Controller classes. You can now unit test common Controller scenarios without having to mock any objects.
    3. Several nice feature additions and usability improvements to the URL routing system"
    • May 06, 2008 at 12:36 AM
  • Visual Linq query builder for Linq to Sql

    "The Visual Linq query builder is a Visual Studio 2008 addin. It's a designer that helps you create Linq to Sql queries in your application. Both C# and VB projects are supported."
    • May 05, 2008 at 11:12 PM
  • XNA Team Blog : Announcing: XNA Game Studio 3.0 Community Technical Preview (CTP)

    "Today, we are delivering the first Community Technical Preview (CTP) of XNA Game Studio 3.0, giving you the ability to build games for the entire family of Zune media devices. This feature gives you access to the majority of the XNA framework APIs while retaining a seamless sense of integration with the Zune media experience. In addition, this release now requires either Visual Studio 2008 Standard Edition and higher (C# language support must be installed), or Visual C# 2008 Express Edition. Keeping with Zune media experience, the XNA Game Studio 3.0 integration includes discoverability/access to user’s non-DRM music – allowing you to customize background soundtracks or create real-time visualizations. In addition, we’ve announced the ability to have multiple nearby Zunes wirelessly engage in an ad-hoc social gaming experience."
    • May 07, 2008 at 02:52 PM
  • Introducing LINQ To Regex (Roy Osherove)


    Roy Osherove wrote a LINQ provider that builds regular expressions using a fluent language syntax:

    from match in RegexQuery.Against(input)
    where match.Word.Repeat.AtLeast(1).IsTrue()
    select match;

    See my previous post on Regex's and fluent interfaces. 

    • May 07, 2008 at 09:14 AM
  • Scott Hanselman's Computer Zen - The Weekly Source Code 25 - OpenID Edition

    Scott Hanselman has the definitive writeup on how to implement OpenID in .NET circa May 2008.
    • May 04, 2008 at 04:04 PM

General Microsoft News

  • Windows XP Service Pack 3 includes IE6

    IEBlog : IE and Windows XP Service Pack 3

    "XPSP3 will continue to ship with IE6 and contains a roll-up of the latest security updates for IE6. If you are still running Internet Explorer 6, then XPSP3 will be offered to you via Windows Update as a high priority update. You can safely install XPSP3 and will have an updated version of IE6 with all your personal preferences, such as home pages and favorites, still intact."

    XP Service Pack 3 will include IE6. That's frustrating, because this was a good opportunity to migrate millions of upgrade-averse folks to IE7 in the name of security (and, incidentally, eliminating a huge amount of web developer pain).

    • May 05, 2008 at 11:59 PM
  • Mass scripted SQL Injection Attacks on IIS Web Servers

    "You may have seen recent reports that have surfaced stating that web sites running on Microsoft’s Internet Information Services (IIS) 6.0 have been compromised. These reports allude to a possible vulnerability in IIS or issues related to Security Advisory 951306 which was released last week. Microsoft has investigated these reports and determined that the attacks are not related to the recent Microsoft Security Advisory (951306) or any known security issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies."
    • May 04, 2008 at 10:30 PM
  • Microsoft hires Photoshop guru from Adobe

    "Mark Hamburg has decided to leave Adobe after having worked at the company for over 17 years. Mark joined Adobe in the Fall of 1990, not long after Photoshop 1.0 was released and was instrumental in devising many of the ‘wow’ features we have all come to love and rely on daily when we work with Photoshop. Mark left the Photoshop team after Photoshop 7 shipped and went to work developing a new paradigm in image processing which would finally ship as the product named Adobe Photoshop Lightroom."
    • May 04, 2008 at 10:10 PM

Rich Internet Applications

  • An update on JavaFX

    JavaOne: Sun rolls out JavaFX | Outside the Lines - CNET News.com
    "Sun introduced JavaFX, a rich Internet application environment set to compete with Adobe Systems' AIR and Microsoft's Silverlight."
    • May 08, 2008 at 12:31 AM
  • Adobe Open Screen Project - Open Specifications and Open Technology to Help Expand Flash Player Reach

    "The biggest part of the announcement in my mind is that we’re finally removing the restriction on the use of not only the SWF specification but also the FLV and F4V specification. We think we’ve gotten to a point where users don’t want different versions of a Flash Player and that there isn’t much incentive to create one, so opening up and removing the restrictions on the SWF, FLV, and F4V spec is a way to show that."
    • May 06, 2008 at 12:26 AM
  • An Update to Deep Zoom Composer


    "Ever since we released Deep Zoom Composer during MIX, there has been a ton of great feedback you have all sent us on what you liked and what you would like to see improved in future versions. To give you a sneak peek at where we are currently, we're releasing an updated version of Deep Zoom Composer for you all to play with."

    Feature overview:

    • Improved Exporting
    • Better Design Experience
    • Updated Collections Export
    • Greater Access to Help
    • May 05, 2008 at 11:17 PM
  • Silverlight Roadmap questions

    Some info on codecs, image support (no GIF), release timing, etc.
    • May 05, 2008 at 11:16 PM

Software You Should Know About

  • OpenOffice.org 3.0 Beta is available

    "OpenOffice.org 3.0 will support the upcoming OpenDocument Format (ODF) 1.2 standard, and is capable of opening files created with MS-Office 2007 or MS-Office 2008 for Mac OS X (.docx, .xlsx, .pptx, etc.). This is in addition to read and write support for the MS-Office binary file formats (.doc, .xls, .ppt, etc.). OpenOffice.org 3.0 will be the first version to run on Mac OS X without X11, with the look and feel of any other Aqua application. It introduces partial VBA support to this platform. In addition, OpenOffice.org 3.0 integrates well with the Mac OS X accessibility APIs, and thus offers better accessibility support than many other Mac OS X applications."
    • May 07, 2008 at 09:27 AM
  • Search Commands

    "Search Commands helps you find commands, options, wizards, and galleries in Microsoft Office 2007 Word, Excel and PowerPoint. Just type what you’re looking for in your own words and click the command you need. Search Commands also includes Guided Help, which acts as a tour guide for specific tasks."
    • Apr 29, 2008 at 12:37 AM
  • Pointui, the coolest thing I've installed on my Windows Mobile Phone, gets an update.

    Pointui, the definitive user interface for mobile devices.

    "Pointui (pronounced point-you-i) has been built from the ground up and sets the benchmark in pioneering the delivery of total user experience, never before achieved on a Windows Mobile device."

    Pointui is a great addon for Windows Mobile phones. It's free, it's a simple program that doesn't involve any frightening ROM flashes or the like, and it completely changes the way you use your phone.

    • Apr 29, 2008 at 12:41 AM
  • Start++ Updated


    "Start++ is an enhancement for the Start Menu in Windows Vista. It also extends the Run box and the command-line with customizable commands. For example, typing "w Windows Vista" will take you to the Windows Vista page on Wikipedia!"

    I've been using Start++ for a while; there's a new update out. It turns the Vista Start Menu into a pretty nice application launcher.

    • Apr 29, 2008 at 12:40 AM

Miscellany

  • Clay Shirky on Social Surplus: Explaining why people are giving so much away for free

    "And what's astonished people who were committed to the structure of the previous society, prior to trying to take this surplus and do something interesting, is that they're discovering that when you offer people the opportunity to produce and to share, they'll take you up on that offer. It doesn't mean that we'll never sit around mindlessly watching Scrubs on the couch. It just means we'll do it less."

    A common response to the open source model is "How can people give work away for free?" I think this is a pretty good answer: there are a lot of talented people with time on their hands who are happy to have something better to do with it than watch sitcoms.

    • Apr 29, 2008 at 12:39 AM
  • Rumor: AT&T to cut the price of Apple’s new iPhone

    "When the 3G iPhone is introduced this summer, AT&T, the exclusive U.S. iPhone sales partner with Apple, will cut the price by as much as $200, according to a person familiar with the strategy. AT&T is preparing to subsidize $200 of the cost of a new iPhone, bringing the price down to $199 for customers who sign two-year contracts, the source says. Apple is expected to have two versions of the new iPhone, an 8-gigabyte-memory and a 16-gigabyte-memory model with price tags widely expected to be $399 and $499. AT&T and Apple declined to comment."

    I still think the iPhone is a sucker deal at this point. They could give them away for free and it would still be a ripoff, given the exorbitant prices they charge for the data plans. But hopefully now you'll get ripped off on the payment plan, and this time you'll at least get 3G with it.

    • May 04, 2008 at 10:17 PM
  • SourceForge Now OpenID-Friendly


    "SourceForge, an immense base of open software development and discussion, today announces its newly instated mechanism for accepting OpenID users. According to an estimate provided by the website, this enables some 250,000,000 potential OpenID registrants to join the collaborative, which SourceForge already counts to be some 1.84 million strong. Naturally, the chair of the OpenID Foundation, Scott Kveton said that this move will be a huge step forward for the organization’s efforts."

    Passwords are slowly dying. Hurrah!

    • May 07, 2008 at 01:37 PM

[Utility] TeraCopy removes the file copy pain from Windows Vista

Last September, I asked why aren't Windows file copies restartable? It's a huge productivity killer - and very frustrating - when you're copying a large file from a network share or over a VPN and the copy fails when it was 80% complete. At that point, your file copy has just failed. Try again and hope it works this time.

And I'm not the first person to notice that file copying is horribly slow in Windows Vista. To be fair, file copying has been substantially improved in Vista SP1, but it's still not quick.

TeraCopy makes file copies work... and it makes them fun!

Well, as fun as you can have copying files, anyhow...

Back in January, Ralph linked to TeraCopy. I gave it a shot and found that it really did work pretty well. Being difficult, I just had to look around for something else. I tried a bunch of alternatives including Copy Handler and various Robocopy GUI's. TeraCopy's my favorite.

TeraCopy's shell integration into Explorer is really smooth. For instance, I'll select a bunch of big files in one Explorer window and hit control-c, then hit control-v in another Explorer window and TeraCopy's copy dialog pops up. Here we can see the progress of each file as well as the entire group:

TeraCopy

Notice that nice Pause button. Also nice is that, should my VPN drop or the copy fail for any other reason, that button changes to Resume and I can continue the copy from where it left off. Hitting the More button in the lower left expands the dialog to show the complete status of the copy:

TeraCopy-More

The latest official release of TeraCopy is 1.22, although there is a TeraCopy 2 beta release available which adds some nice new features - it's nice to use a product that's under pretty active development. I've been really happy with TeraCopy - give it a shot!

Posted by Jon Galloway | 8 comment(s)

My first MVP Summit

I really enjoyed my first MVP Summit as a rather freshly minted Microsoft ASP.NET MVP of all of six months. I struggle with writing about that kind of thing, since MVP posts often turn into "I heard some awesome new secrets, can't tell you, giggle giggle, bye!" taunts, but having been to one I don't think that's so much of a problem. I did hear some new things, but the real highlight was the face to face meetings with old and new friends.

Faces, meet names

  • I finally got to meet Barry Dorrans in person. We've been commenting on each other's blogs since 2004, and we've been in closer contact lately due to Barry's involvement in Subtext, CardSpace and SharpSTS. Barry may be the only person who's both an expert in developer security (an MVP in it, to be precise) and able to blend in with normal humans.
  • Keith Elder is a force to be reckoned with. I believe he's the one who taught me the lesson about leaving my phone unattended, for which I thank him. I guess. Oh, and he's in the Witty posse.
  • Dustin Campbell is in the process of moving from DevExpress to Microsoft. And he's an F# enthusiast. And much bigger than I am. And, if I remember correctly, I've publicly insulted him recently. Agitate and observe.
  • Dave Donaldson (a.k.a. arcware) is trouble. But he should have called himself arcwelder instead of arcware. That'd be cooler.
  • Javier Lozano and I have "met" this past year via Twitter, and it was great to meet him in person. We talked for a while Tuesday night about a variety of things - my experiences working on Video.Show, Javier's very interesting thoughts about the way language impacts our approach to programming languages (including a Spanish-based .NET programming language he wrote called Azul), and on dynamic languages in general.
  • Laurent Bugnion is another person I've corresponded with via Twitter. He's very knowledgeable about WPF and Silverlight, and we talked for a long time at the ASP.NET MVP dinner.
  • I met and talked to a ton of other people, and I'm sure I'm leaving some off the list. Sorry about that. I'm not mentioning most of the folks I've met previously, (Rick Strahl, Joe Brinkman, etc.) because... oh, wait, I just did.

Lunch With LazyCoder

LazyCoder, a.k.a. Scott Koon, has been running an awesome blog since about nineteen-ought-seven. He's especially skilled with JavaScript frameworks, but in my personal experience he seems to be omniscient and Turing complete. I've been following him on Twitter lately, and we've both been contributing to the Witty Twitter client. I was looking forward to an opportunity to meet him to ensure that he wasn't just a SkyNet prototype. So, Steve Harman, Barry Dorrans, and I wandered off from the summit to meet him for beers lunch.

pictured: Jon, Scott "LazyCoder" Koon, Steve Harman

Extreme Geek Dinner at the Haack House

What happens when you get a bunch of terminally nerdy folks in a room together? They all stare at their laptops and ignore each other.


pictured: the HaHa brothers, PhilHa and ScottHa, preparing for their MVC talk the following day.

And when I hit the space bar my robot does this

pictured: Jon, Steve Harman. Steve is dictating spec#, Jon does his best to keep up.

But, occasionally, a conversation breaks out:

Steven looks louche

pictured: Rob Conery, Jon, Steve

And, if you're lucky, pair programming is put to shame with tripartite programming:

Steve Harman, Phil Haack, and Barry Dorrans finding Steve's bug

pictured: Steve Harman tries to implicate Phil Haack in a Subtext JavaScript impropriety, but Steve can't hide from SVN blame. Barry Dorrans witnesses the whole sordid affair.

ScottGu vs. KITT

Tuesday was great. I'm pretty sure I learned some interesting things about Silverlight, ASP.NET MVC, and .NET 4.0. But of course the highlight was a surprise ride in Scott Guthrie's brand new car! Arcwelder Dave tells it best:

This needs a little setup. At the end of the day Tuesday, Steve Harman, Jon Galloway, and myself were waiting around to go to building 42 with Rob Conery. Jon was on the phone with Rob, who said he was with Scott (Hanselman we assumed) and they'd pick us up. [...] So when Rob and Scott arrive, Rob calls Jon to say they are out front in a silver car. As we walk out we see Rob in a brand new Infiniti (high end model), at which point I'm thinking, "Damn, Hanselman has some balls to get that for his rental car". But who gets out of the driver side to open the trunk for our bags? Scott Guthrie, not Scott Hanselman. Rob sort of left out that little detail. Anyway, we rolled with it and enjoyed seeing ScottGu drop some f-bombs trying to figure out his new navigation system. Classic.

The Telligenti Presence

It sounds like a scary Robert Ludlum novel. To tell the truth, it kind of is mildly frightening. There are a lot of Telligent MVP's, and from the police reports it sounds like they did their best to destroy Seattle.

The ALT.NET Bad Boys

I got to say "hi" to the ALT.NET toughs, many of whom I'd met before at some point. These guys mostly scare me, and it has nothing to do with their programming methodologies. It's just that, when I talk to them, I get the feeling that I'm about to get shanked and tossed in a dumpster. But, I got to meet Ayende (Oren Eini) and Roy Osherove, and they both seemed nice enough.

Ayende and Roy Osherove

What's funny about this picture is that you can't tell that Ayende is twice as tall as Roy. That's not to slight Roy, Ayende was twice as tall as everyone else at the conference. I saw him pick up a city bus with his bare hands, shake it, put it back down, and walk slowly away muttering about unrolling loops in Boo. Also, Roy does an awesome impression of Ayende. Who knows, he may be doing an awesome impression of me right now.

OdeToAwesome

It was fun hanging out with K. Scott Allen. We worked together on the wildly popular ASP.NET 2.0 Anthology, and while this was the second time I've met him in person (the first being a Silverlight class he was proctoring in January), this time was way cooler. I believe it was Scott - excuse me, K. Scott - who turned me on to PointUI, a free UI program for Windows Mobile which I'm really enjoying.

Building 18 Cribs tour by Adam Kinney

Adam Kinney gave me a tour of Building 18. Lots of places were familiar from Channel 9 and Channel 10 videos. Adam and I have kept in touch since we met at TechEd 2004, and it was nice to hang out in his office and marvel at the cool decorations. A man in a full-sized Channel 9 costume came by and gave us ice cream cones. Apparently that kind of thing goes on all the time in Building 18.

Steve Ballmer is Not a Dumb Man

The short video clips and tiny quotes of Steve Ballmer I've seen over the years try to paint him as oafish. That is not at all the case. I saw him interviewed at MIX 08 by Guy Kawasaki, and came away very impressed with Steve. The final MVP Summit event was a question and answer session with Steve, and it just drove the point home. Steve Ballmer is a very sharp guy, and an absolute pleasure to listen to. If you haven't watched the video from Steve's MIX 08 interview, please do.

Steve Ballmer at the MVP 2008 Summit

The Taphouse

The last day of the Summit, a bunch of Twitter folks got together at the Taphouse. That was a great way to finish off the trip.

pictured: Lots of geeks, posing for a picture, thinking about Twittering

pictured: Lots of geeks, Twittering

The Flight Home With Woody

Woody Pewitt, the local Microsoft Developer Evangelist, was probably really looking forward to a quiet, relaxing flight home after months on tour with The Code Trip. Alas, it was not to be. I sat next to him for the entire flight home, keeping him awake with conversations about our respective Naval careers, computer pranks, and how we got into computer programming. I didn't know Woody's experience with the programming community went back to CompuServe forums. Respect!

Encrypting Passwords in a .NET app.config File

I've been contributing to the Witty project lately. I'm a fan of Twitter, and it's nice to work on a popular WPF application with some hotshot coders including a WPF pro like Alan Le. Lately, I noticed that we were storing the user's password in plaintext in the application config file:

<setting name="Password" serializeAs="String"> 
    <value>OOPS-WE-STORED-THE-PASSWORD-IN-PLAINTEXT</value> 
</setting>

So, yeah, that's less than ideal. Foolishly, I volunteered to fix it. There's plenty of information on encrypting ASP.NET configuration settings in web.config files, but encrypting settings in a desktop application isn't as well documented. Here's what I came up with.

DPAPI, Papi!

The best way to encrypt configuration settings is with DPAPI, the Data Protection Application Programmer's Interface:

This Data Protection API (DPAPI) is a pair of function calls that provide OS-level data protection services to user and system processes. By OS-level, we mean a service that is provided by the operating system itself and does not require any additional libraries. By data protection, we mean a service that provides confidentiality of data through encryption. Since the data protection is part of the OS, every application can now secure data without needing any specific cryptographic code other than the necessary function calls to DPAPI.

That sounds pretty good. But is it secure? Let's ask old man Wikipedia:

The keys used for encrypting the user's keys are stored under "%USERPROFILE%\Application Data\Microsoft\Protect\{SID}", where {SID} is the security identifier of that user. The DPAPI key is stored in the same file as the master key that protects the users private keys. It usually is 40 bytes of random data. DPAPI doesn't store any persistent data for itself; instead, it simply receives plaintext and returns cryptext (or vice-versa).

DPAPI security relies upon the system's ability to protect the Master Key and RSA private keys from compromise, which in most attack scenarios is most highly reliant on the security of the end user's credentials. Particular data binary large objects can be encrypted in a way that salt is added and/or an external user-provided password (aka "Strong Key Protection") is required. The use of a salt is a per-implementation option - i.e. under the control of the application developer - not controllable by the end user or IT professional.

Yeah, I didn't read it either. I did check the footnotes and saw that nobody's bragging about yoinking data out of it, though. And it has to be better than storing passwords in plaintext. So, awesome, let's go for it!

The Nuclear Option: Encrypt The Whole Thing

The easiest way to deal with the problem is to just encrypt the entire section. That's because the ConfigurationSection knows how to protect itself, like so:

protected override void OnStartup(StartupEventArgs e) 
{ 
    // Lots of other important stuff here... 
    EncryptConfigSection("userSettings/Witty.Properties.Settings"); 
    base.OnStartup(e); 
}

private void EncryptConfigSection(string sectionKey)
{
    Configuration config = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
    ConfigurationSection section = config.GetSection(sectionKey);
    if (section != null)
    {
        if (!section.SectionInformation.IsProtected)
        {
            if (!section.ElementInformation.IsLocked)
            {
                section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
                section.SectionInformation.ForceSave = true;
                config.Save(ConfigurationSaveMode.Full);
            }
        }
    }
}

 

Once we've done that, the entire settings section is encrypted and placed in a <CipherValue> block:

<userSettings>
 <Witty.Properties.Settings configProtectionProvider="DataProtectionConfigurationProvider">
  <EncryptedData>
    <CipherData>
      <CipherValue>AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAABbLHX[...]</CipherValue>
    </CipherData>
  </EncryptedData>
 </Witty.Properties.Settings>
</userSettings>

That's great from a security standpoint, but by encrypting everything, we've unnecessarily restricted access to all the information in the configuration file.

<userSettings> 
<Witty.Properties.Settings> 
  <setting name="Username" serializeAs="String"> 
    <value>UserNameGoesHere</value> 
  </setting> 
  <setting name="Password" serializeAs="String"> 
    <value>OOPS-WE-STORED-THE-PASSWORD-IN-PLAINTEXT</value> 
  </setting> 
  <setting name="RefreshInterval" serializeAs="String"> 
    <value>5</value> 
  </setting> 
  <setting name="LastUpdated" serializeAs="String"> 
    <value /> 
  </setting> 
  <setting name="PlaySounds" serializeAs="String"> 
    <value>True</value> 
  </setting> 
  ... 
</Witty.Properties.Settings> 
</userSettings>

So, what would be better is to encrypt just the password. To do that, we'll need to look into SecureString and System.Security.Cryptography.ProtectedData.

What's With The SecureString?

Like just about everything to do with ASP.NET development, David Hayden told us everything we need to know about SecureString years ago. The short story is that a System.String hangs around in memory until the garbage collector picks it up, so even if we're encrypting passwords or other sensitive data in our configuration file, it's possible to snag them from memory if we're using a standard System.String. SecureString uses our old friend DPAPI to encrypt values, so they're safe from memory snooping.

It's not as great as it sounds, though, because few APIs accept or return SecureStrings. While it's a good practice to use SecureStrings when we can, we'll have to convert to and from standard System.String values at some point. While we're looking at security, we might as well use SecureStrings when possible, but we should keep in mind the fact that it's totally futile. Well, not that bad, but there are times where the sensitive information is still stored as insecure strings in memory.

Encrypting Strings with ProtectedData

So here's the actual meat of this post - the code I used to encrypt passwords in Witty's configuration. We've got two main methods, EncryptString and DecryptString. They both call into ToSecureString and ToInsecureString (great name, huh?) whose purpose should be pretty self-explanatory.

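// Needs "using System;" and "using System.Security;" plus a reference to System.Security.dll (for ProtectedData).
static byte[] entropy = System.Text.Encoding.Unicode.GetBytes("Salt Is Not A Password");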

public static string EncryptString(System.Security.SecureString input)
{
    byte[] encryptedData = System.Security.Cryptography.ProtectedData.Protect(
        System.Text.Encoding.Unicode.GetBytes(ToInsecureString(input)),
        entropy,
        System.Security.Cryptography.DataProtectionScope.CurrentUser);
    return Convert.ToBase64String(encryptedData);
}

public static SecureString DecryptString(string encryptedData)
{
    try
    {
        byte[] decryptedData = System.Security.Cryptography.ProtectedData.Unprotect(
            Convert.FromBase64String(encryptedData),
            entropy,
            System.Security.Cryptography.DataProtectionScope.CurrentUser);
        return ToSecureString(System.Text.Encoding.Unicode.GetString(decryptedData));
    }
    catch
    {
        return new SecureString();
    }
}

public static SecureString ToSecureString(string input)
{
    SecureString secure = new SecureString();
    foreach (char c in input)
    {
        secure.AppendChar(c);
    }
    secure.MakeReadOnly();
    return secure;
}

public static string ToInsecureString(SecureString input)
{
    string returnValue = string.Empty;
    IntPtr ptr = System.Runtime.InteropServices.Marshal.SecureStringToBSTR(input);
    try
    {
        returnValue = System.Runtime.InteropServices.Marshal.PtrToStringBSTR(ptr);
    }
    finally
    {
        System.Runtime.InteropServices.Marshal.ZeroFreeBSTR(ptr);
    }
    return returnValue;
}

Then we're pretty much set. When we want to encrypt passwords for storage, we'll make a call like this:

AppSettings.Password = EncryptString(ToSecureString(PasswordTextBox.Password));

And we can get the password back out with this kind of thing:

SecureString password = DecryptString(AppSettings.Password);

The payoff is that our configuration looks like this:

<Witty.Properties.Settings>
    <setting name="Username" serializeAs="String">
        <value>jongalloway</value>
    </setting>
    <setting name="Password" serializeAs="String">
        <value>AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAV[lots more stuff that's not my password]</value>
    </setting>
    <setting name="RefreshInterval" serializeAs="String">
        <value>5</value>
    </setting>
    <setting name="LastUpdated" serializeAs="String">
        <value>4/11/2008 12:10:33 AM</value>
    </setting>
</Witty.Properties.Settings>
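
A variant of EncryptString and DecryptString that copies the SecureString straight into a byte array, so no intermediate System.String is created, and that reports a failed decrypt instead of returning an empty password. This is an added example, not Witty's code; the class name DpapiSecureStringExample and the method names Protect and TryUnprotect are hypothetical.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography;

// Added example; class and method names are hypothetical, not Witty's code.
public static class DpapiSecureStringExample
{
    // Same entropy as the post. It ships in the binary, so it is not a secret:
    // any process running as this user that knows it can call Unprotect.
    static readonly byte[] Entropy = System.Text.Encoding.Unicode.GetBytes("Salt Is Not A Password");

    public static string Protect(SecureString input)
    {
        byte[] plain = new byte[input.Length * 2];   // UTF-16LE, two bytes per char
        IntPtr ptr = Marshal.SecureStringToGlobalAllocUnicode(input);
        try
        {
            Marshal.Copy(ptr, plain, 0, plain.Length);   // no System.String is created
            byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
            return Convert.ToBase64String(blob);
        }
        finally
        {
            Marshal.ZeroFreeGlobalAllocUnicode(ptr);     // wipe and free the unmanaged copy
            Array.Clear(plain, 0, plain.Length);         // wipe the managed copy
        }
    }

    // Returns false when the stored value is not a blob this user can decrypt,
    // so the caller can tell "no password" apart from "decryption failed".
    public static bool TryUnprotect(string stored, out SecureString password)
    {
        password = new SecureString();
        if (string.IsNullOrEmpty(stored)) return false;
        byte[] plain = null;
        try
        {
            plain = ProtectedData.Unprotect(Convert.FromBase64String(stored), Entropy, DataProtectionScope.CurrentUser);
            for (int i = 0; i + 1 < plain.Length; i += 2)
                password.AppendChar((char)(plain[i] | (plain[i + 1] << 8)));
            password.MakeReadOnly();
            return true;
        }
        catch (FormatException) { return false; }          // not Base64, e.g. an old plaintext value
        catch (CryptographicException) { return false; }   // different user or machine, or altered blob
        finally { if (plain != null) Array.Clear(plain, 0, plain.Length); }
    }
}
```

The byte arrays are not pinned, so the garbage collector may relocate them before they are cleared; this narrows the in-memory exposure described above rather than closing it.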

For further study:
http://msdn2.microsoft.com/en-us/library/system.configuration.dpapiprotectedconfigurationprovider.aspx
http://www.codeproject.com/KB/security/ProtectedConfigWinApps.aspx
http://www.builderau.com.au/program/dotnet/soa/Encrypting-NET-configuration-files-through-code/0,339028399,339281837,00.htm

February / March 2008 Recap

Summarizing Two Months For The Price Of One!

At the end of January, I published a monthl